This is the second part of a two-part series about considering low-cost tools for starting your insider threat program. In the first part of this series, I discussed the five categories of tools available to insider threat programs to use, as needed, as part of their operations. In this part, I provide examples of low-cost tools that are available in this space.

The following tools may meet one or more needs of your insider threat program. This is not a complete list of tools. CERT hasn't tested them and, as a Federally Funded Research and Development Center (FFRDC), cannot endorse or recommend them specifically, nor can CERT determine their suitability for use in your environment. I encourage you to test these tools prior to acquisition and implementation.

User Activity Monitoring (UAM)

• Open Source HIDS SECurity (OSSEC) (https://www.ossec.net/)
• Security Onion (https://securityonion.net/)
  (Security Onion is a collection of tools for network traffic monitoring and logging.)
• Squid Proxy Server (http://www.squid-cache.org) and Dansguardian (https://www.smoothwall.com/)
  (Both tools can be combined to filter web content and log website visits. Dansguardian is not actively maintained.)
• Packet Capture Tools: Tcpdump (http://www.tcpdump.org/), NetworkMiner (https://www.netresec.com/?page=NetworkMiner), and Wireshark: (https://www.wireshark.org/)

Data Loss Prevention

• OpenDLP (https://github.com/ezarko/opendlp)
• MyDLP (https://www.mydlp.com/)

Security Information and Event Management (SIEM) Systems

• OSSIM (https://cybersecurity.att.com/products/ossim)
• LOGalyze (http://www.logalyze.com/)
• Enterprise Log Search and Archive (ELSA) (https://github.com/mcholste/elsa)
• The Elastic Stack (https://www.elastic.co/)

Analytics Tools

• Weka (https://www.cs.waikato.ac.nz/ml/weka/)
• RapidMiner (https://rapidminer.com/)

Digital Forensics Tools

• FTK Imager (https://accessdata.com/product-download?/support/product-downloads)
• Autopsy (http://www.sleuthkit.org/autopsy/)
• Volatility (https://www.volatilityfoundation.org/)
• SANS Investigative Forensic Toolkit (https://digital-forensics.sans.org/community/downloads)
• CERT Forensics Tools: ADIA (https://forensics.cert.org/)
• PALADIN: (https://sumuri.com/software/paladin/)

You can see from this partial list that there are quite a few options available to help you start planning for and implementing the technical aspects of your insider threat program. There are many other tools available that aren't listed, so I encourage you to explore other options. The goal of this blog series was to provide information as a means to get started.

If you have experience with other open source or freely available tools that could be leveraged in an insider threat program, I would like to hear from you. Please get in touch with me using the links provided below.